Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/ci-triage.yml
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@ jobs:
persist-credentials: false

- name: Post triage comment
uses: actions/github-script@v9
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
with:
script: |
const fs = require("fs");
Expand Down
18 changes: 9 additions & 9 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -110,7 +110,7 @@ jobs:
uses: ./.github/actions/setup-node-cached

- name: Setup Deno
uses: denoland/setup-deno@v2
uses: denoland/setup-deno@22d081ff2d3a40755e97629de92e3bcbfa7cf2ed # v2.0.5
with:
deno-version: v2.x

Expand Down Expand Up @@ -258,7 +258,7 @@ jobs:

- name: Upload UI regression diagnostics
if: failure()
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: ui-regression-diagnostics-${{ github.run_id }}
path: |
Expand Down Expand Up @@ -302,7 +302,7 @@ jobs:

- name: Upload quarantine diagnostics
if: failure() && steps.quarantine.outputs.present == 'true'
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: quarantine-ui-diagnostics-${{ github.run_id }}
path: |
Expand All @@ -321,7 +321,7 @@ jobs:
timeout-minutes: 30
steps:
- name: Checkout
uses: actions/checkout@v6
uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3
with:
persist-credentials: false

Expand All @@ -333,7 +333,7 @@ jobs:

- name: Upload mockup UI diagnostics
if: failure()
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: mockup-ui-diagnostics-${{ github.run_id }}
path: |
Expand All @@ -354,13 +354,13 @@ jobs:
persist-credentials: false

- name: Setup Supabase CLI
uses: supabase/setup-cli@v3
uses: supabase/setup-cli@46f7f98c7f948ad727d22c1e67fab04c223a0520 # v3
with:
version: ${{ env.SUPABASE_CLI_VERSION }}

- name: Restore Supabase Docker image cache
id: supabase-docker-cache
uses: actions/cache@v6
uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6
with:
path: /tmp/supabase-docker-cache
key: supabase-docker-${{ runner.os }}-cli-${{ env.SUPABASE_CLI_VERSION }}-${{ hashFiles('supabase/config.toml') }}
Expand Down Expand Up @@ -499,7 +499,7 @@ jobs:

- name: Restore browser cache
id: pw-cache
uses: actions/cache@v6
uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6
with:
path: ~/.cache/ms-playwright
key: playwright-${{ runner.os }}-${{ hashFiles('package-lock.json') }}
Expand All @@ -519,7 +519,7 @@ jobs:

- name: Upload UI diagnostics
if: failure()
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: release-ui-diagnostics-${{ github.run_id }}
path: |
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/dependency-report.yml
Original file line number Diff line number Diff line change
Expand Up @@ -26,12 +26,12 @@ jobs:
timeout-minutes: 15
steps:
- name: Checkout
uses: actions/checkout@v6
uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3
with:
persist-credentials: false

- name: Setup Node.js
uses: actions/setup-node@v5
uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
with:
node-version-file: ".nvmrc"
cache: npm
Expand All @@ -45,7 +45,7 @@ jobs:
run: node scripts/dependency-report.mjs --out dependency-report.md

- name: Publish to rolling issue
uses: actions/github-script@v9
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
env:
# Pass step outputs via env (not inline template expansion) to avoid the
# GitHub Actions template-injection pattern, even though both values are
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/docker-image.yml
Original file line number Diff line number Diff line change
Expand Up @@ -60,10 +60,10 @@ jobs:
persist-credentials: false

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v4
uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4

- name: Build app image (no push)
uses: docker/build-push-action@v7
uses: docker/build-push-action@53b7df96c91f9c12dcc8a07bcb9ccacbed38856a # v7
with:
context: .
file: Dockerfile
Expand All @@ -85,10 +85,10 @@ jobs:
persist-credentials: false

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v4
uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4

- name: Build worker image (no push)
uses: docker/build-push-action@v7
uses: docker/build-push-action@53b7df96c91f9c12dcc8a07bcb9ccacbed38856a # v7
with:
context: .
file: Dockerfile.worker
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/eval-canary.yml
Original file line number Diff line number Diff line change
Expand Up @@ -75,7 +75,7 @@ jobs:
fi

- name: Setup Node.js
uses: actions/setup-node@v5
uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
with:
node-version-file: ".nvmrc"
cache: npm
Expand Down Expand Up @@ -105,7 +105,7 @@ jobs:

- name: Open or update canary failure issue
if: failure() && github.event_name == 'schedule'
uses: actions/github-script@v9
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
with:
script: |
const label = "eval-canary";
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/ingestion-autopilot.yml
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,7 @@ jobs:
fi

- name: Setup Node.js
uses: actions/setup-node@v5
uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
with:
node-version-file: ".nvmrc"
cache: npm
Expand Down Expand Up @@ -82,7 +82,7 @@ jobs:

- name: Open or update alert issue
if: failure() && github.event_name == 'schedule'
uses: actions/github-script@v9
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
with:
script: |
const label = "ingestion-autopilot";
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/live-drift.yml
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@ jobs:
fi

- name: Setup Node.js
uses: actions/setup-node@v5
uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
with:
node-version-file: ".nvmrc"
cache: npm
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/ops-digest.yml
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ jobs:
fi

- name: Setup Node.js
uses: actions/setup-node@v5
uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
with:
node-version-file: ".nvmrc"

Expand All @@ -56,7 +56,7 @@ jobs:
run: node scripts/ops-digest.mjs --out digest.md

- name: Publish to rolling issue
uses: actions/github-script@v9
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
with:
script: |
const fs = require("fs");
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/secret-scan.yml
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,6 @@ jobs:
# gitleaks/gitleaks-action@v3 does not support the merge_group event;
# the scan already ran on pull_request so skipping here is safe.
if: github.event_name != 'merge_group'
uses: gitleaks/gitleaks-action@v3
uses: gitleaks/gitleaks-action@e0c47f4f8be36e29cdc102c57e68cb5cbf0e8d1e # v3
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
6 changes: 3 additions & 3 deletions .github/workflows/staging-tenancy.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,12 +19,12 @@ jobs:
timeout-minutes: 20
steps:
- name: Checkout
uses: actions/checkout@v6
uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3
with:
persist-credentials: false

- name: Setup Node.js
uses: actions/setup-node@v5
uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
with:
node-version-file: ".nvmrc"
cache: npm
Expand Down Expand Up @@ -52,7 +52,7 @@ jobs:

- name: Upload tenancy evidence
if: always()
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: staging-tenancy-evidence-${{ github.run_id }}
path: artifacts/staging-tenancy-evidence.json
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/summary.yml
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,7 @@ jobs:

- name: Run AI inference
id: inference
uses: actions/ai-inference@v2
uses: actions/ai-inference@a7805884c80886efc241e94a5351df715968a0ad # v2
with:
prompt: |
You are summarizing a GitHub issue.
Expand All @@ -49,7 +49,7 @@ jobs:

- name: Comment with AI summary
if: github.event.issue.state == 'open'
uses: peter-evans/create-or-update-comment@v5
uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
issue-number: ${{ github.event.issue.number }}
Expand Down
1 change: 1 addition & 0 deletions docs/branch-review-ledger.md
Original file line number Diff line number Diff line change
Expand Up @@ -560,3 +560,4 @@ Use this ledger to prevent repeated branch and PR reviews when the reviewed HEAD
| 2026-07-15 | codex/outstanding-work-cleanup | 0c56f27a37af88a073d2bb695d2cf4c05067ff4f + working-tree diff | repo-wide outstanding-work reconciliation and cleanup | No high-confidence P0/P1 remained in the locally executable scope. Fixed the stale architecture index for DSM/specifier routes, pruned redundant Knip configuration, removed the unused `SignedImage` default export, and reconciled maintained docs so completed/superseded plans no longer present as active work. Retained explicitly blocked work: provider-gated operator actions, the live-eval shadow reindex harness, deep-memory section-ownership design, and RAG follow-ups that require live evidence or product/security decisions. Full Knip findings were triaged rather than mass-deleted; unresolved-import scan is clean. | Offline `npm run verify:cheap` passed with 2,417 tests/1 skipped; docs links 806, script refs 264, codebase index 35/35; Knip unresolved scan clean; typecheck clean; focused Vitest 15/15; env-name parity clean; `git diff --check`. Provider-backed Supabase/OpenAI/GitHub/Railway, dependency audit, browser, build, drift, and release gates not run. |
| 2026-07-15 | codex/design-polish-pass | 0c56f27a37af88a073d2bb695d2cf4c05067ff4f + reviewed working diff | full live design, responsive, UX, accessibility, design-system, routing, performance, lint, testing, documentation, and release-readiness review | No P0/P1 reproduced. Fixed the P2 duplicate phone scroll surface in the shared standalone shell and added a regression test; fixed mode-menu Tab dismissal; explicitly hid decorative dynamic icons; restricted press scaling to motion-safe environments; moved sheet backdrops and forced-colour glass/backdrop behavior onto design tokens. External target fidelity remains blocked because no independent Figma/mockup source was supplied. | Live 30-route desktop + 21-route phone sweep; targeted 320/390/639/768/1440/1920 proofs; `npm run verify:cheap` (2417 passed/1 skipped); `npm run verify:ui` (175/175); focused keyboard 1/1; accessibility media/axe 5/5; scoped Prettier, ESLint, TypeScript, type-scale, and icon-scale passed. Provider-backed checks not run. |
| 2026-07-15 | codex/documents-closed-default | 49f63791bced2b1764a11ab723aea94b45b026b6 | documents viewer disclosure defaults and related defect hunt | Fixed the inconsistent default-open document viewer sections by making indexed text, high-yield summary, tables/diagrams, and indexing details a native mutually exclusive closed disclosure group. The section navigation opens its requested disclosure and deep-linked evidence still reveals its target. The hunt also removed the explicitly open nested table-review queue, preserved printable summary content through the browser print lifecycle, and added cold-server readiness guards to the affected viewer tests. No other high-confidence default-open defect remains in the live Documents scope. | `npm run verify:cheap`; TypeScript; focused ESLint/Prettier; clean-worktree mocked Chromium coverage for deep-linked evidence, structured summary, closed/mutually-exclusive disclosures, navigation opening, and print state restore; `git diff --check`. Turbopack could not run through the local external `node_modules` junction, so clean browser verification used Next's supported Webpack dev mode. No Supabase/OpenAI/live-provider checks run. |
| 2026-07-15 | HEAD / main snapshot (detached review worktree) | 0c56f27a37af88a073d2bb695d2cf4c05067ff4f | comprehensive repository review | Changes requested: two P1 defects (high-risk clinical claim support can accept a different trigger condition on lexical overlap; document-mode URL auto-run loops on navigation and leaves search loading indefinitely), one P2 supply-chain guard gap (the action-pin checker accepts mutable major tags and ignores SHA-pinned major versions), and one P3 orientation-doc gap (DSM and legacy specifier routes are absent from the codebase index). No P0 found. | Node 24/npm 11 and `npm ls --depth=0`; format, runtime, lint, TypeScript, sitemap/brand/icon/type-scale, docs links/scripts, CI/action/Codex guards; coverage 259 files passed/1 skipped and 2,417 tests passed/1 skipped; offline RAG 36 fixtures plus 282 tests; production build/client-secret scan; deployment boot smoke; critical Chromium 8/10 with two reproducible document-search failures; accessibility 5/5; viewport/focus checks through 1920x1080. Provider-backed governance, quality, drift, tenancy, hosted CI, and the cross-browser matrix were blocked or skipped by policy/targeted failures. |
45 changes: 3 additions & 42 deletions scripts/check-github-action-pins.mjs
Original file line number Diff line number Diff line change
@@ -1,38 +1,10 @@
import { readdirSync, readFileSync } from "node:fs";
import path from "node:path";
import { validateActionReference } from "./github-action-pins.mjs";
import { yamlBlock } from "./yaml-contract.mjs";

const workflowDir = path.join(process.cwd(), ".github", "workflows");

const supportedMajorRanges = new Map([
[
"actions/checkout",
{
min: 4,
max: 6,
reason:
"v6 is the currently supported and documented major that this repo has vetted; upgrading to v7 should be a deliberate, reviewed decision.",
},
],
[
"peter-evans/create-or-update-comment",
{
min: 5,
max: 5,
reason: "create-or-update-comment v6 is not a documented published major for this workflow.",
},
],
[
"actions/github-script",
{
min: 8,
max: 9,
reason: "v7 uses the end-of-life Node 20 action runtime; use a Node 24 based release.",
},
],
]);

const usesPattern = /^\s*uses:\s*([^@\s]+)@v(\d+)\s*(?:#.*)?$/;
const runsOnLatestPattern = /^\s*runs-on:\s*ubuntu-latest\s*(?:#.*)?$/;
const failures = [];
const expectedSupabaseCliVersion = "2.108.0";
Expand All @@ -51,19 +23,8 @@ for (const fileName of readdirSync(workflowDir)
);
}

const match = line.match(usesPattern);
if (!match) return;

const [, action, rawMajor] = match;
const range = supportedMajorRanges.get(action);
if (!range) return;

const major = Number(rawMajor);
if (!Number.isInteger(major) || major < range.min || major > range.max) {
failures.push(
`${fileName}:${index + 1}: ${action}@v${rawMajor} is outside supported range v${range.min}-v${range.max}. ${range.reason}`,
);
}
const actionFailure = validateActionReference(line);
if (actionFailure) failures.push(`${fileName}:${index + 1}: ${actionFailure}`);
});
}

Expand Down
47 changes: 47 additions & 0 deletions scripts/github-action-pins.mjs
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
const reviewedActionPins = new Map([
[
"actions/checkout",
new Map([
["9f698171ed81b15d1823a05fc7211befd50c8ae0", "v6.0.3"],
["9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0", "v7.0.0"],
]),
],
["actions/setup-node", new Map([["a0853c24544627f65ddf259abe73b1d18a591444", "v5.0.0"]])],
["actions/github-script", new Map([["3a2844b7e9c422d3c10d287c895573f7108da1b3", "v9.0.0"]])],
["actions/cache", new Map([["55cc8345863c7cc4c66a329aec7e433d2d1c52a9", "v6"]])],
["actions/upload-artifact", new Map([["043fb46d1a93c77aae656e7c1c64a875d1fc6a0a", "v7"]])],
["denoland/setup-deno", new Map([["22d081ff2d3a40755e97629de92e3bcbfa7cf2ed", "v2.0.5"]])],
["supabase/setup-cli", new Map([["46f7f98c7f948ad727d22c1e67fab04c223a0520", "v3"]])],
["gitleaks/gitleaks-action", new Map([["e0c47f4f8be36e29cdc102c57e68cb5cbf0e8d1e", "v3"]])],
["actions/ai-inference", new Map([["a7805884c80886efc241e94a5351df715968a0ad", "v2"]])],
["peter-evans/create-or-update-comment", new Map([["e8674b075228eee787fea43ef493e45ece1004c9", "v5"]])],
["docker/setup-buildx-action", new Map([["bb05f3f5519dd87d3ba754cc423b652a5edd6d2c", "v4"]])],
["docker/build-push-action", new Map([["53b7df96c91f9c12dcc8a07bcb9ccacbed38856a", "v7"]])],
]);

const usesPattern = /^\s*(?:-\s*)?uses:\s*([^@\s]+)@([^\s#]+)(?:\s+#\s*(\S.*?))?\s*$/;
const immutableCommitSha = /^[0-9a-f]{40}$/;

export function validateActionReference(line) {
const match = line.match(usesPattern);
if (!match) return null;

const [, action, ref, versionComment] = match;
if (action.startsWith("./")) return null;
if (!immutableCommitSha.test(ref)) {
return `${action}@${ref} is mutable. Pin external actions to a reviewed 40-character commit SHA.`;
}

const reviewedPins = reviewedActionPins.get(action);
if (!reviewedPins) {
return `${action}@${ref} is not in the reviewed action allowlist.`;
}
const expectedVersion = reviewedPins.get(ref);
if (!expectedVersion) {
return `${action}@${ref} is not a reviewed commit SHA for this action.`;
}
if (versionComment !== expectedVersion) {
return `${action}@${ref} must retain the exact reviewed release comment '# ${expectedVersion}'.`;
}
return null;
}
Loading